It ‘Felt Fishy’: Game Operator Rebuffed Fake Data Request
The data request was in all caps and urgent: “EXIGENT CIRCUMSTANCE DISCLOSURE REQUEST IMPORTANT! PLEASE READ!” On March 13, the administrators of an online game marketed for children called Toontown Rewritten received an emergency request for user information that appeared to come from a police captain in Bangladesh.
“We have reasonable suspicion to believe multiple individuals have engaged, acted and perpetrated in child porn distribution, blackmail and terroristic bomb threats against high levels of Bangladesh officials and family,” wrote “Captain Samuel Ramsel” of the Bhaka Cyber Crime Division, in an email.
Joey Ziolkowski, a founder of Toontown Rewritten, said something “felt fishy.”
“The request seemed legit. The email was from an official Bangladesh police account and did not seem spoofed as far as our technical security team could tell,” he said on Twitter. “We pressed further to ask for credentials and a proper subpoena for the information.”
Toontown's volunteer staff determined that the request was bogus, a claim backed by Allison Nixon, chief research officer at the cybersecurity firm Unit 221b, who reviewed the correspondence. She said the same Bangladeshi email address has been used to send emergency legal requests to other companies.
On Tuesday, Bloomberg News reported that Apple Inc., Alphabet Inc.'s Google, Meta Platforms Inc., Snap Inc, Twitter Inc. and Discord Inc. complied with fraudulent emergency data requests that were used in schemes to harass or sexually extort women, some of them minors. Law enforcement and cybersecurity experts consider the forged legal request sent from compromised law enforcement email addresses the newest tool used by hackers and online criminals to acquire personal information for personal attacks.
“I can't believe the one to finally break that silence publicly is ‘Toontown Rewritten,’” Nixon said, noting that most of the technology companies that have been duped “treated this as a shameful matter to be kept top secret.”
“They did what no big tech company could do and wrote a public advisory full of actionable information with the entire fake emergency data request,” she said.
The request appears to have come from a hacker who compromised the email system of the Dhaka Metropolitan Police, which operates in Bangladesh's capital and most populous city, according to Toontown Rewritten and a cybersecurity expert. The email contained an obvious clue: Dhaka was spelled incorrectly.
The Dhaka Cyber Crime Division in Bangladesh didn't respond to a request for comment. It couldn't be determined if Captain Samuel Ramsel is a real person.
The author of the email didn't respond to a request for comment.
The usernames and passwords of Bangladeshi police officials -- including some from the Dhaka Metropolitan Police -- were posted for sale on dark web marketplaces shortly before the email was sent to Toontown, said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, which observed the credentials for sale. “The price ranges from anywhere to $27 to $30.”
The author of the email was persistent, writing several times over the course of a week after the Toontown staff pushed back. The targeted account belongs to someone believed to be an adult located outside the U.S., Ziolkowski said.
“This specific user created an emergency situation and Bangladesh citizens are under undue stress,” the author wrote. “Just send us whatever info you can and since it's confidential we want it kept between law enforcement officials and Toontown Rewritten support staff only.”
The volunteer staff, who are based around the world and keep a PO Box in Washington state, responded that they would only fulfill the request if it was sent by a U.S. authority. After that, the author of the emails stopped corresponding. Toontown volunteers shared information about the phony request with investigators at the Department of Homeland Security, who have been investigating the practice of fraudulent emergency data requests.
A representative for Homeland Security didn't immediately respond to a request for comment.
Forged legal requests designed to acquire personal information are a growing problem, according to multiple law enforcement officials. Major technology companies are working on new ways to verify legal requests as a result, the people said.
“Fraudulent EDRs break the trust in legitimate legal process, and perpetuate a long standing communication rift between the public and the private sectors,” said Matt Donahue, the founder of Kodex, which makes software for companies to manage legal requests. “This rift greatly impacts user safety, and data privacy, by slowing down responses to legitimate life and death situations.”